In some limited circumstances we will process your personal data on the basis of your consent or where necessary to perform a contract. We will also process personal data where necessary for compliance with a legal obligation, where it is in your vital interests or where it is in our legitimate interests.

We may from time to time process personal data that is considered ‘special category data’ that is data revealing:

racial or ethnic origin

political opinions

religious or philosophical beliefs

trade union membership

genetic or biometric data

data concerning health

data concerning a person’s sex life or sexual orientation

Where we process special category data, we will only do so where an applicable lawful basis applies. This may include:

where we have your explicit consent

where processing is necessary for the purposes of carrying out the obligations and exercising specific rights in the field of employment and social security and protection

where processing is necessary for the establishment, exercise or defence of legal claims

where processing is necessary for reasons of substantial public interest

TPR will also process personal data for law enforcement purposes. These purposes include the prevention, investigation, detection and prosecution of criminal offences and the execution of criminal penalties. We will do this to protect members of the public against financial loss due to dishonesty, malpractice or other seriously improper conduct related to the administration of workplace pensions.

TPR will often process personal data for law enforcement purposes without the knowledge of those we investigate. We will only do this where to do otherwise would prejudice our investigations.

c) How we gather personal data

The majority of personal data we gather is provided to us by you for a variety of different reasons, including:

Where you are legally required to provide us information

Where you make an enquiry

Where you submit a whistleblowing report

Where you visit our website

Where you visit our office

Where you visit an event organised by TPR

Where you apply for a job vacancy

Where you nominate a contact

Where you have made an information request

Where you have made a complaint

Where you make a media enquiry

We also process personal data that has been obtained indirectly, for example from other government organisations and public bodies and from publicly available sources such as the Open Register.

Where you are legally required to provide us information

TPR will process personal data where you are legally required to provide it. The following sets out a non-exhaustive number of reasons why you may be required by law to provide us information:

If you are a trustee or a manager of an occupational pension scheme, you will be required to provide TPR with information pertaining to your pension scheme in the form of a scheme return. We use the scheme return to gather information about pension schemes. The data gathered helps us maintain our register of schemes and to identify schemes where there’s a risk or potential risk to members’ benefits. We also use this information to calculate annual levy charges.

If you are an employer, you are required by law to complete the declaration of compliance. Failure to do so may lead to enforcement action being taken against you.

Where you are applying for master trust authorisation, we will process personal data (including disclosure to persons outside of TPR) in order to determine whether those persons involved in the master trust scheme are ‘fit and proper’ according to the Pensions Schemes Act 2017 and underlying Regulations, and for the purpose of the overall assessment and decisions in relation to authorisation applications. We will also process your personal data in relation to any of the authorisation criteria for ongoing supervision and monitoring purposes.

Under section 72 of the Pensions Act 2004, TPR may require you to produce any document, or provide any other information which is relevant to the exercise of our functions. Failure to comply with a section 72 request is a criminal offence and may lead to TPR bringing criminal proceedings against you.

We will use your contact information provided for any of the above purposes to send you information by newsletter (email or post) pertinent to your role as a trustee or representative.

Where you make an enquiry

If you’ve made an enquiry with us we’ll hold your personal data for the purpose of dealing with your enquiry. We don’t need to collect a lot of information but we do need to know who you are, what you’ve asked and how we can reply to you.

You can make an enquiry in a number of different ways, including by:

calling our Customer Support team

submitting your enquiry via our enquiry web form

writing to us

When you contact TPR we collect your information to enable us to respond to your query. We record all calls made to us for training and compliance purposes, to improve our customer service provided to you and to verify information provided to us.

After making an enquiry, we may contact you to complete a customer satisfaction survey. If you would prefer not to receive communications of this nature, please let us know.

Where you submit a whistleblowing report

If you submit a whistleblowing report we will ask you for information related to your concerns. This will include details about your employer and your pension.

You may choose to remain anonymous so that no one, including TPR, will know your identity. However, if TPR choose to investigate your report your identity may become apparent at a later date – for example if you are a sole employee and you decide to report your employer anonymously, it may become apparent that you are the source of the whistleblowing report.

If you decide to disclose your identity to TPR we will do our best to protect it and keep it confidential but we cannot give any categorical assurances as circumstances may mean that disclosure of your identity becomes unavoidable – for example if we are ordered by a court to disclose your identity.

Where you visit our website

When someone visits thepensionsregulator.gov.uk we collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is processed in a way which does not identify anyone. We do not make any attempt to find out the identities of those visiting our website.

When you visit our website a cookie identifies and tracks your visit whilst collecting statistical information. Cookies tell us the pages that have been visited and collect information about how many times certain pages have been visited.

The cookie has no way of identifying you, it doesn’t hold any of your personal data nor can it be used retrospectively to track you.

Cookies help us to assess the effectiveness of our website and can provide useful information following publications. For more information about the cookies that we use go to cookies.

If you’ve ‘signed up’ to receive any of TPR’s news services we’ll only hold the information that we need to deliver the service. Emails you’ll receive will give you the option to unsubscribe and where you do so we will remove your contact information from our mailing lists.

If you’ve completed or are completing learning on the education portals, then we’ll hold some of your personal data. If you forget your login details or its necessary to verify your status we’ll need to match the query to the right person.

Where you visit our office

If you visit our office we ask that all visitors sign in and out of reception. You may also be required to provide proof of identification but this information is not recorded.

Any CCTV in operation in and around our offices is not controlled or managed by TPR.

The information we collect where you visit our office will be processed for security and safety reasons which is in our legitimate interests.

Where you visit an event organised by TPR

TPR occasionally hosts and organises events that aim to promote our role as a regulator among our regulated community.

If you are a key industry stakeholder, we may invite you to attend or speak at our events. Where this is the case, we will process your contact information and may ask if you have any specific dietary requirements. We may also ask if you have a disability so that we can make arrangements to accommodate your attendance.

The information we collect where you visit an event organised by TPR will be processed on the basis of your consent.

Where you apply for a job vacancy

All of the information you provide when applying for a vacancy with TPR will be used for the purpose of progressing your application and assessing your suitability for employment with us.

We require you to provide us your CV and a covering letter.

If you are given a conditional offer of employment a third party processor will conduct pre-employment checks which will require you to provide:

proof of your identity, including your national insurance number, your contact details and your address history

proof of your qualifications

a criminal records check

contact details of referees

You will be asked to provide us with equal opportunities information. Providing us this information is not mandatory and will not affect the outcome of your application in anyway. Any information you do provide will be used to produce and monitor equal opportunity statistics.

Should you be successful in your application, you will be asked to provide your bank details in order to process salary payments.

From time to time we may receive personal data from recruitment agencies. Where we do so, we will process that data in accordance with this privacy notice.

The information we collect where you apply for a job vacancy will be processed in order to perform a contract or take steps prior to entering into a contract. Any special category information you provide us will be processed for the purposes of carrying out obligations and exercising specific rights in the field of employment law.

Where you nominate a contact

If you are a nominated contact, we will have received your contact information from an individual with the necessary consent or authority to provide us with your personal data. In most situations this will be your employer or your client. You may opt-out to receive these communications or update who should be the nominated contact by visiting our ‘nominate a contact’ webpage.

Where you make an information request

As a public body, you have the right to ask us for information that we hold under the Freedom of Information Act 2000 and the Environmental Information Regulation 2004. If we process your personal data, you also have the right to make a subject rights request under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018).

If you make an information request we will process your data in order to respond to your request. At a minimum we will need your contact details so that we can identify you. We may ask you for further personal information depending on the type of request you make.

The information we collect where you make an information request will be processed in order to comply with a legal obligation.

Where you have made a complaint

If you make a complaint to TPR we will ask for all the information necessary to investigate your concerns. This will include your personal information and that of others who are involved.

If you make a complaint against a member of TPR staff, we will usually have to disclose your complaint and identity to the member of staff concerned to allow them to explain the events that have given rise to the complaint. If you would prefer we not share your identity with the person you’re complaining about, we will endeavour to keep your identity confidential but this cannot be guaranteed.

Where you make a media enquiry

TPR aims to deliver effective and targeted press releases, blog posts and speeches. Where you make a media enquiry to our press team via our Media Hub we will process your personal data to respond to your request.

Data obtained from other sources

We regularly obtain personal data from other government and public bodies including our sponsoring body the Department for Work and Pensions (DWP) and Her Majesty’s Revenue and Customs (HMRC) for use in connection with any of our statutory functions.

In some circumstances we collect personal data from publicly available sources. This data may be used in a number of different ways including for intelligence purposes and for us to send communications to key industry stakeholders.

TPR regularly collects and processes personal data where liaising with suppliers for the performance of contracts offered on publically available digital marketplaces including on the Crown Commercial Service website.

d) Sharing personal data

Where we are allowed to do so by law, we may share your personal data with other public or professional bodies, as well as government organisations to support them in their purposes and functions. Where we regularly share data with these bodies we have agreements in place to govern the sharing of information and to ensure compliance with the law. For more information see memorandum of understanding.

We may share your personal data with private organisations to provide services to us in relation to our statutory functions, for example, to produce a skilled persons report or to provide legal services. We require and ensure full adherence with data protection via our instructions and contracts with such entities.

For more information related to the arrangements we put in place with those we share personal data with, see doing business with us.

Where considered appropriate to do so we may provide a credit reference agency with your personal data in order to conduct a credit reference check against you. This will be done for debt collection purposes.

We will never share your personal data for commercial or marketing purposes.

Transferring personal data outside the EU

TPR doesn’t ordinarily transfer personal data outside the European Union (EU). However, there may be occasions where we transfer your data to countries outside the EU when conducting litigation as part of a civil or criminal investigation. Where we do so, we rely on the derogations in relation to the conduct of litigation in the GDPR and the DPA 2018, and only to the extent required.

We may also transfer data to our data processors who store data outside the EU. To ensure that your personal information receives an adequate level of protection we make sure that an adequacy decision has been made by the European Commission and/or we put in place standard contractual data protection clauses in accordance with our obligations under the GDPR.

e) Retention periods

TPR will hold your data for as long as is necessary for our statutory functions and objectives and for a set period of time after. For more information related to the length of time we store personal data see our retention schedule (PDF, 463kb, 10 pages).

f) Your rights

If we hold your personal data then you have certain rights in relation to what we do with it.

Access

You have the right to access your personal data. Where you request access to your personal data we will confirm whether or not we hold information related to you, and if we do hold your data we will provide you a copy of your personal data free of charge. We may not provide information to you where to do so would prejudice the exercise of our statutory functions or where other exemptions apply.

Rectification, erasure, restriction and data portability

In certain circumstances, you have the right to have inaccurate data corrected and incomplete data completed; you may also have the right to have your personal data erased, its use restricted and your data transmitted in a commonly used format.

Objection

You have right to object to the processing of your personal data where we process that data for the performance of a task carried out in the public interest, or where it is in our legitimate interests.

Right to withdraw consent

Where we process your personal data on the basis of your consent, you have the right to withdraw your consent at anytime without affecting the lawfulness of processing before withdrawal. If you do so we may no longer be able to send you communications you have signed up for or other guidance information.

If you wish to make a request exercising any of the rights set out above, please write to us:

g) Data security

Keeping your personal data safe is a top priority. We’ve put security measures in place to protect your personal data and to maintain our reputation. TPR holds ISO 27001 certification and complies with our responsibilities to maintain high levels of security under the GDPR and the DPA 2018.

h) Complaints process

TPR will endeavor to meet the highest standards when collecting and using your personal information. For this reason, we take any complaint we receive about the way in which we handle your data very seriously. We encourage you to bring your concerns to our attention. For more information about how to make a complaint see our complaints process.

You can also raise your concerns to our DPO by email at dpo@tpr.gov.uk.

If you have already made a complaint to us and are not happy with the outcome, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO).

i) Privacy notice review

This privacy notice was drafted to be as concise and transparent as possible. For this reason, this notice does not provide an exhaustive outline of all the ways in which we process your data. If you think we’ve got something wrong, missed something out or you would like more information about the way in which we process your personal data, please let us know via the contact information provided above.